I would like to be able to add a parameter to certain URL requests that go through my DD-WRT router. Specifically, I'm trying to figure out how to force safe search in Google, which means I have to append safe=on to any URL requests that begin with *google*.

I've read about running a server on the router that acts as a proxy. Then on that server I could use mod_rewrite or something similar. I've also read about firewall rules using iptables. Both of these are way over my head, but I can't seem to find any real guidance on this.

Router rewrites are one thing, and interesting, but your specific use case has some holes. There are many, many search engines. How will you censor all of them? And even if you do, there are always proxies, and personal messages, and message boards, and... And off topic here, but consider: is this really a good idea?
– ire_and_curses, Sep 9 '12 at 14:45

@arochester The aim is parental controls. I am using OpenDNS and have configured the router to force any DNS requests to go through OpenDNS. A Linux-specific solution will not work as I have many devices on the network.
– Koveras, Sep 9 '12 at 19:29

@ire_and_curses Proxies are filtered by OpenDNS. Also, blocking visual search engines in OpenDNS covers Yahoo! images as well as Bing images but not Google. I'm not too concerned with others but most sites can be blocked by URL in the DD-WRT configuration. Google images is not so easy to block by URL because there are seemingly many URLs that go there.
– Koveras, Sep 9 '12 at 19:31

1 Answer

Why? Google is using HTTPS (SSL) everywhere now. All traffic between the endpoints (browser & Google server) is encrypted and checked for integrity.

The only way to read (let alone modify) encrypted traffic is changing it at or beyond one of the endpoints. Suggestions in the direction of mod_rewrite are all server-side and you probably don't have access to Google's servers. ;)

Workarounds for this, like modifying your local DNS forwarder to answer differently and setting up a proxy server with SSL MITM, won't work either without adding your own fake CA to every browser. Moreover, using Google Chrome, it's way harder to circumvent this as Google has hardcoded fingerprint signatures to check. Refer to some news regarding DigiNotar in 2011, for example here.

Back to your objective and the only endpoint you can control here. My suggestion would be to find a browser addon/plugin that will fit your needs and enforce it for the user. For example, by modifying the file system permissions on its configuration to prevent the user from changing it, and by disallowing any new software installations.

I know it's been months, but I've finally accepted that there isn't a good way to do this. Blue Coat offers products that filter HTTPS traffic, but the only free option is K9 Web Protection, which needs to be installed on every device on the network. Other than that, they offer enterprise products for a hefty fee. Like you said, trying to reproduce what they do in their enterprise software is not practical. I've decided instead to set up a dedicated proxy server with DansGuardian installed on it, and block any requests that don't go through the proxy on the router using iptables in OpenWrt.
– Koveras, Mar 30 '13 at 22:24
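
The router-side enforcement described in the last comment, as an added example that is not part of the original thread: a script that prints the iptables rules for review before they are applied. The LAN interface name, the proxy address and the port list are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: every value below is an assumption, adjust to your network.
LAN_IF="br-lan"            # assumed LAN bridge name on the router
PROXY_IP="192.168.1.10"    # assumed address of the filtering proxy host
WEB_PORTS="80,443"         # direct web traffic that must go via the proxy

# Print the rules instead of running them, so they can be reviewed first.
emit_rules() {
    # Refuse anything that is not a plain dotted IPv4 address.
    case "$PROXY_IP" in
        ""|*[!0-9.]*)
            echo "PROXY_IP must be an IPv4 address" >&2
            return 1 ;;
    esac

    # Each -I inserts at the top of FORWARD, so rules are emitted in
    # reverse order: the last line printed is the first rule evaluated.

    # Evaluated third: LAN clients may not reach web ports directly.
    echo "iptables -I FORWARD -i $LAN_IF -p tcp -m multiport --dports $WEB_PORTS -j REJECT --reject-with tcp-reset"

    # Evaluated second: block HTTP/3 (QUIC over UDP 443), which would
    # otherwise let browsers bypass a TCP-only proxy.
    echo "iptables -I FORWARD -i $LAN_IF -p udp --dport 443 -j REJECT"

    # Evaluated first: the proxy host itself is allowed out to the web.
    echo "iptables -I FORWARD -i $LAN_IF -s $PROXY_IP -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT"
}

# "print" shows the rules; "apply" runs them on the router (needs root).
case "${1:-}" in
    print) emit_rules ;;
    apply) emit_rules | sh ;;
esac
```

These rules cover IPv4 only; if the LAN has IPv6 connectivity, the same rules are needed in ip6tables, otherwise clients can bypass the proxy over IPv6.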